Exfiltration: Cloud SQL Restore Backup to External Organization

This document describes a threat finding type in Security Command Center. Threat findings are generated by threat detectors when they detect a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.

Finding description

Data exfiltration from a Cloud SQL backup is detected by examining audit logs to determine whether data from the backup has been restored to a Cloud SQL instance outside the organization or project. All Cloud SQL instance and backup types are supported.

To respond to this finding, do the following:

Step 1: Review finding details

  1. Open an Exfiltration: Cloud SQL Restore Backup to External Organization finding, as directed in Reviewing findings.

  2. On the Summary tab of the finding details panel, review the information in the following sections:

    • What was detected, especially the following fields:
      • Principal email: the account used to exfiltrate the data.
      • Exfiltration sources: details about the Cloud SQL instance the backup was created from.
      • Exfiltration targets: details about the Cloud SQL instance the backup data was restored to.
    • Affected resource, especially the following fields:
      • Resource full name: the resource name of the backup that was restored.
      • Project full name: the Google Cloud project that contains the Cloud SQL instance that the backup was created from.

  3. Related links, especially the following fields:

    • Cloud Logging URI: link to Logging entries.
    • MITRE ATT&CK method: link to the MITRE ATT&CK documentation.
    • Related findings: links to any related findings.

  4. Click the JSON tab.

  5. In the JSON, note the following fields.

    • resource:
      • parent_name: the resource name of the Cloud SQL instance the backup was created from
    • evidence:
      • sourceLogId:
        • projectId: the Google Cloud project that contains the source BigQuery dataset.
    • properties:
      • restoreToExternalInstance:
        • backupId: the ID of the backup run that was restored

Step 2: Review permissions and settings

  1. In the Google Cloud console, go to the IAM page.

    Go to IAM

  2. If necessary, select the project of the instance that is listed in the projectId field in the finding JSON (from Step 1).

  3. On the page that appears, in the Filter box, enter the email address listed in Principal email (from Step 1) and check what permissions are assigned to the account.

Step 3: Check logs

  1. In the Google Cloud console, go to Logs Explorer by clicking the link in Cloud Logging URI (from Step 1). The Logs Explorer page includes all logs related to the relevant Cloud SQL instance.

Step 4: Research attack and response methods

  1. Review the MITRE ATT&CK framework entry for this finding type: Exfiltration Over Web Service: Exfiltration to Cloud Storage.
  2. Review related findings by clicking the link on the Related findings row. (from Step 1). Related findings have the same finding type on the same Cloud SQL instance.
  3. To develop a response plan, combine your investigation results with MITRE research.

Step 5: Implement your response

The following response plan might be appropriate for this finding, but might also impact operations. Carefully evaluate the information you gather in your investigation to determine the best way to resolve findings.

  • Contact the owner of the project with exfiltrated data.
  • Consider revoking permissions the principal that is listed on the Principal email row in the Summary tab of the finding details until the investigation is completed.
  • To stop further exfiltration, add restrictive IAM policies to the impacted Cloud SQL instances.
  • To limit access to the Cloud SQL Admin API, use VPC Service Controls.
  • To identify and fix overly permissive roles, use IAM Recommender.

What's next